
Weekly Metasploit Update: Another Meterpreter Evasion Option


Hopping Meterpreter Through PHP

This week, Metasploit landed and shipped the new Reverse HTTP hop stager for Meterpreter payloads, which opens up yet another avenue for pivoting about the Internet to connect to your various and sundry Meterpreter shells. This is kind of a huge deal.

For starters, this obviously helps with crossing artificial borders between networks. You may have an engagement target that has a vulnerable web server in a DMZ that's running PHP, so you can use that machine as a quick and easy Meterpreter pivot point into the nominally "separate" network on the other side.

In addition, this kind of hopping behavior can help a lot with staying undetected by the pen-test target's IDS and IPS. Imagine that you know that a certain machine or range is on an exclusion list for alerting (which is all too often the case when IT security folks are having trouble tuning out false positives from certain devices). The enterprising attacker can take control of that purposely-ignored device, stand up a quick Nginx server with PHP, and start rerouting all his otherwise suspicious traffic through there.
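The flip side of that exclusion-list point is what a defender can do about it. The following is an added example, not Rapid7's or Metasploit's code: a small Python heuristic over web-server access logs that flags a single client hammering one PHP resource at a rate no browser would, and that keeps reporting hosts even when they sit on the IDS "do not alert" list (flagging them instead of dropping them). It assumes the relay lives at one `.php` path and that the traffic behind it shows up as sustained polling from one source; the log lines, addresses and paths are constructed for the example.

```python
"""Heuristic for spotting a PHP script that is being used as a relay for
beacon-style traffic. Added example, not Rapid7's or Metasploit's code.

Assumptions (not from the original post): the hop endpoint is a single .php
resource, and a session relayed through it shows up in the access log as one
client polling that resource far more often than a browser would.
All log lines, IPs and paths below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined/common log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_polling_clients(lines, min_hits=20, max_span_s=60, excluded=frozenset()):
    """Return a list of (ip, path, total_hits, span_seconds, on_exclusion_list)
    for every client that hit one .php path at least min_hits times within
    any max_span_s-second window.

    Hosts in `excluded` (the IDS tuning exclusion list) are still reported,
    with the last field set to True, so that a tuning exclusion cannot make a
    relay disappear from the report entirely."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # ignore query strings
        if path.endswith(".php"):
            buckets[(rec["ip"], path)].append(rec["ts"])

    findings = []
    for (ip, path), stamps in buckets.items():
        stamps.sort()
        # Sliding window: do any min_hits consecutive requests fit in max_span_s?
        for i in range(len(stamps) - min_hits + 1):
            span = (stamps[i + min_hits - 1] - stamps[i]).total_seconds()
            if span <= max_span_s:
                findings.append((ip, path, len(stamps), span, ip in excluded))
                break
    return findings


def sample_log():
    """Constructed access-log lines: one client polling /hop.php once a second
    for 30 s, one ordinary visitor, and one host that is on the exclusion list
    polling /relay.php 25 times in 25 s."""
    lines = []
    for sec in range(30):
        lines.append(f'10.0.0.7 - - [01/Jun/2014:12:00:{sec:02d} +0000] '
                     f'"GET /hop.php?id=1 HTTP/1.1" 200 0')
    lines.append('203.0.113.5 - - [01/Jun/2014:12:00:10 +0000] "GET /index.php HTTP/1.1" 200 5120')
    lines.append('203.0.113.5 - - [01/Jun/2014:12:00:12 +0000] "GET /about.php HTTP/1.1" 200 4096')
    lines.append('203.0.113.5 - - [01/Jun/2014:12:00:15 +0000] "GET /logo.png HTTP/1.1" 200 8192')
    for sec in range(30, 55):
        lines.append(f'10.0.0.99 - - [01/Jun/2014:12:00:{sec:02d} +0000] '
                     f'"POST /relay.php HTTP/1.1" 200 0')
    return lines


if __name__ == "__main__":
    for ip, path, hits, span, on_list in find_polling_clients(sample_log(), excluded={"10.0.0.99"}):
        tag = " [ON IDS EXCLUSION LIST]" if on_list else ""
        print(f"{ip} -> {path}: {hits} hits, {span:.0f}s for first 20{tag}")
```

The thresholds (20 hits inside 60 seconds) are deliberately conservative and are only a starting point; the useful part for a defender is the last field, which is why hosts carved out of alerting for false-positive reasons should be reported alongside everything else rather than silently dropped.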

If you're interested in seeing this bad boy in action, you're invited to check out a screencast of the payload:

Tons of thanks to Matt @scriptjunkie Weeks for his effort on this, and for casually mentioning this feature at a recent hacker BBQ here in Austin.

New Modules

We have four new exploits and one new auxiliary module this week for Metasploit users, including one for the long-anticipated, recently disclosed Yokogawa vulnerability, CVE-2014-3888.

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.
